Google Holds Out Against ‘Do Not Track’ Flag

And then there was Chrome.

Apple made it clear this week that the next version of its Safari browser — which will ship with the upcoming version of Mac OS — will include the ability for users to tell websites not to track them, by using what’s known as the ‘Do Not Track’ header, according to The Wall Street Journal.

It’s a technically simple change that Mozilla (the maker of Firefox) and Microsoft (the maker of IE) have already included in their newest browsers. Those companies included the change despite the fact that no one has actually defined what tracking is. So far only two ad networks, Blue Kai and Chitika, have pledged to obey the flag.

That leaves Chrome, the browser created by the online-advertising giant Google, alone in not supporting the nascent feature. And according to Google, it has no plans to do so anytime soon.

‘The idea of Do Not Track is interesting, but there doesn’t seem to be wide consensus on what tracking really means.’

“The idea of ‘Do Not Track’ is interesting, but there doesn’t seem to be wide consensus on what ‘tracking’ really means, nor on how new proposals could be implemented in a way that respects people’s current privacy controls,” a Google spokeswoman told Wired.com by e-mail. “We’re encouraged that standards bodies are working on these issues, and we will continue to be involved closely.”

Instead of “Do Not Track,” Google says it offers a plug-in for Chrome called “Keep My Opt-Outs,” which prevents users from deleting opt-out cookies from advertising networks when they delete their cookies. Third-party ad networks, including Google’s Display Ad network, use cookies on the sites they advertise on to watch what users do across the net, in order to make guesses about their interests. They then can sell ad space at a premium to advertisers, offering them the opportunity to show ads for trucks only to young men interested in sports, for instance.

Currently, none of those networks pays any heed to users who choose to turn on the “Do Not Track” flag, but do pledge to respect opt-out cookies that can be set in bulk on the Network Advertising Initiative opt-out page. Google says it will have a version of the cookie-retaining plug-in for IE and Firefox soon.

The plug-in Google built mimics the functionality of one built by Indiana University security researcher Christopher Soghoian in 2009, drawing on Google’s own open source code. Ironically, Soghoian was also the first to suggest the idea of a DNT header, rather than a centralized list, and helped build the first prototype last summer.

Soghoian says Google’s current lack of support from its ad side is “pretty shocking,” given that the company just got slapped by the FTC over privacy.

“Even more shocking is the lack of support from the Chrome team,” Soghoian says, pointing out that Google Chrome routinely supports tech specs that haven’t been standardized by the Internet Engineering Task Force or IETF.

In fact, Apple has many of the same concerns. In a new paper about online privacy (.pdf) submitted to the W3C standards-setting body, Apple questioned what “tracking” means online. It argued that sending a “Do Not Track” signal to a website would only work for sites that decide to obey it, calling it “akin to hanging a ‘privacy, please’ door hanger on an unlocked door –- most will respect it, but the persistent will simply walk in.”

There is, therefore, an urgent need to document what, fairly exactly, it means. What stops working? If nothing stops working, from the user’s point of view, there is a risk that it will be turned on all the time. Can I login? Buy something? What constitutes ‘track’? If someone buys something, I can obviously record the purchase, and pretty clearly the affect [sic] on my inventory. Am I allowed to record statistical data (e.g. the type of goods bought at different times of day)? At what point does this ‘personally derived data’ turn into ‘tracking’?

Even though the FTC and the Commerce Department are behind the new technology, both companies are correct that it’s not clear what counts as tracking. For instance, if you are signed into your Facebook or Google account, can those sites catalog what you do, even if you have the flag on?

What about companies that provide analysis of what users do in bulk on a website — such as telling you how many people visited a given page and how many pages on average a visitor looks at? And what about so-called “A/B” testing tools that let sites experiment by showing one logo to one set of visitors and another to a different set of users, to see which logo is more likely to convince people to sign up for the service?

But Soghoian argues that both Google’s ad program and its analytics program already let users opt out, so why not simply adopt the “Do Not Track” flag as another signal to opt out.

Answering his own question, he says it’s about money that Google stands to lose if users of its browser get an easy way to opt out of its advertising tracking.

“The opt-out cookies and their plug-in are not aimed at consumers,” Soghoian says. “They are aimed at policy makers. Their purpose is to give them something to talk about when they get called in front of Congress. No one is using this plug-in and they don’t expect anyone to use it.”

Of all the major browser makers, Google would have the most to lose if many people starting setting the flag and companies were forced, by public opinion or law, to obey it. While Google’s largest source of ad money — search ads related to search terms — doesn’t rely on behavioral tracking, its growing business of display advertising (on other websites and in YouTube) does.

Ironically, the DNT header is likely not to affect Facebook, the net’s single largest display advertiser and the one company Google seems to fear. Although the social networking site knows every page you visit that has a “Like” button or Facebook widget (at least while you are signed into Facebook), the company says it doesn’t keep that data for long and doesn’t use it to create a profile. Instead, it targets the ads inside Facebook relying on the data its users put in its profile — which is not likely to count as “tracking” if a spec is finalized.

In that process, Google’s concerns are being ironed out, according to Soghoian.

A first pass by a Mozilla engineer and two Stanford researchers at defining the problem for the IETF suggests that sites that get opt-in consent from users can ignore the flag. So, for example, if Facebook asked users if they would mind having Facebook know what sites they visit around the web with “Like” buttons, Facebook can make use of that data, even if a user has the “Do Not Track” setting. Tracking users around your own site would be fine, as would be analytics software, including those run by third parties, so long as the data isn’t shared with other companies.

Even if Google adopts it, right now the tool is in some ways toothless.

In absence of legislation, the “Do Not Track” header doesn’t mean anything legally — unless a company promises to obey it, but then doesn’t. That’s a situation the FTC or state attorneys general could look into under current law. But otherwise, an ad network can simply ignore it, with no legal consequences.

Privacy legislation introduced this week by Sens. John Kerry (D-Massachusetts) and John McCain (R-Arizona) tightens information-sharing rules, and could include a mandate requiring U.S. companies to follow the DNT flag.

And finally, Apple and Microsoft’s decision to include the “Do Not Track” header in their browsers (and Google’s not to) brings up the question of how such a rule would apply on mobile devices and whether there should be a “Do Not Track” flag for mobile apps. Right now, there’s no way to get a “Do Not Track” –capable browser on the iPhone, and Android users need to switch to Firefox Mobile to get the flag.

Mobile apps have come under scrutiny from the press and even the Justice Department for allegedly mining users’ data in secret.

But to have a “Do Not Track” setting for apps would require the app platform makers — Google, Apple, RIM and Microsoft — to bake it into their OSes, which is a trickier situation businesswise, because the two dominant platform makers, Google and Apple, are battling over supremacy in the growing market for in-app ads.

Which is a long way of saying that the “Do Not Track” header is a simple technical change that is likely to have profound effects on the online world and the politics that surround it.

Chrome didn’t have to be last to the antitracking party, which shows no sign of ending soon, because Google was in on the first call when the idea was proposed, according to Soghoian.

“Google could have been first, but instead they will be last,” Soghoian said.